tests: rebuild OVMF and use generated keys

.woke.yaml

@@ -13,3 +13,4 @@ ignore_files:
   - packaging/fedora/snapd.spec
   - packaging/ubuntu-14.04/changelog
   - packaging/ubuntu-16.04/changelog
+  - tests/lib/snaps/store/test-snapd-ovmf/snapcraft.yaml

spread.yaml

@@ -109,7 +109,6 @@ environment:
     NESTED_REPACK_KERNEL_SNAP: '$(HOST: echo "${NESTED_REPACK_KERNEL_SNAP:-true}")'
     NESTED_REPACK_GADGET_SNAP: '$(HOST: echo "${NESTED_REPACK_GADGET_SNAP:-true}")'
     NESTED_REPACK_BASE_SNAP: '$(HOST: echo "${NESTED_REPACK_BASE_SNAP:-true}")'
-    NESTED_FORCE_MS_KEYS: '$(HOST: echo "${NESTED_FORCE_MS_KEYS:-false}")'
     NESTED_KERNEL_MODULES_COMP: '$(HOST: echo "${NESTED_KERNEL_MODULES_COMP:-}")'
 
     # Whether we should use snapd snap ./built-snap/ directory

tests/lib/nested.sh

@@ -66,6 +66,7 @@ nested_wait_vm_ready() {
         # Check the vm is active
         if ! systemctl is-active "$NESTED_VM"; then
             echo "Unit $NESTED_VM is not active. Aborting!"
+            journalctl -u "${NESTED_VM}"
             return 1
         fi
 
@@ -399,12 +400,11 @@ nested_refresh_to_new_core() {
 }
 
 nested_get_snakeoil_key() {
-    local KEYNAME="PkKek-1-snakeoil"
-    local VERSION
-    VERSION="$(nested_get_version)"
-    wget -q https://raw.githubusercontent.com/snapcore/pc-amd64-gadget/"$VERSION"/snakeoil/"$KEYNAME".key
-    wget -q https://raw.githubusercontent.com/snapcore/pc-amd64-gadget/"$VERSION"/snakeoil/"$KEYNAME".pem
-    echo "$KEYNAME"
+    nested_ensure_ovmf >/dev/null
+
+    cp "${NESTED_ASSETS_DIR}/ovmf/secboot/DB.key" DB.key
+    cp "${NESTED_ASSETS_DIR}/ovmf/secboot/DB.crt" DB.pem
+    echo DB
 }
 
 nested_secboot_remove_signature() {
@@ -1160,6 +1160,16 @@ nested_force_stop_vm() {
     systemctl stop "$NESTED_VM"
 }
 
+nested_ensure_ovmf() {
+    if [ -d "${NESTED_ASSETS_DIR}/ovmf" ]; then
+        return
+    fi
+    if ! [ -f "${NESTED_ASSETS_DIR}/test-snapd-ovmf.snap" ]; then
+        snap download --channel=latest/edge test-snapd-ovmf --basename=test-snapd-ovmf --target-directory="${NESTED_ASSETS_DIR}"
+    fi
+    unsquashfs -d "${NESTED_ASSETS_DIR}/ovmf" "${NESTED_ASSETS_DIR}/test-snapd-ovmf.snap"
+}
+
 nested_force_start_vm() {
     # if the $NESTED_VM is using a swtpm, we need to wait until the file exists
     # because the file disappears temporarily after qemu exits
@@ -1274,43 +1284,27 @@ nested_start_core_vm_unit() {
         PARAM_ASSERTIONS="-drive if=none,id=stick,format=raw,file=$NESTED_ASSETS_DIR/assertions.disk,cache=none,format=raw -device nec-usb-xhci,id=xhci -device usb-storage,bus=xhci.0,removable=true,drive=stick"
     fi
     if nested_is_core_ge 20; then
-        # use a bundle EFI bios by default
-        local OVMF_CODE OVMF_VARS
-        OVMF_CODE=""
-        OVMF_VARS=""
-
-        if nested_is_core_ge 22; then
-            wget -q https://storage.googleapis.com/snapd-spread-tests/dependencies/OVMF_CODE.secboot.fd
-            mv OVMF_CODE.secboot.fd /usr/share/OVMF/OVMF_CODE.secboot.fd
-            wget -q https://storage.googleapis.com/snapd-spread-tests/dependencies/OVMF_VARS.snakeoil.fd
-            mv OVMF_VARS.snakeoil.fd /usr/share/OVMF/OVMF_VARS.snakeoil.fd
-            wget -q https://storage.googleapis.com/snapd-spread-tests/dependencies/OVMF_VARS.ms.fd
-            mv OVMF_VARS.ms.fd /usr/share/OVMF/OVMF_VARS.ms.fd
-            OVMF_CODE="_4M"
-            OVMF_VARS="_4M"
-        fi
-
-        if nested_is_secure_boot_enabled; then
-            OVMF_CODE=".secboot"
-            if [ "$NESTED_FORCE_MS_KEYS" != "true" ] && { [ "$NESTED_BUILD_SNAPD_FROM_CURRENT" = "true" ] || [ "${NESTED_FORCE_SNAKEOIL_KEYS:-false}" = "true" ] ; }; then
-                OVMF_VARS=".snakeoil"
-            else
-                OVMF_VARS=".ms"
-            fi
-        fi
-
+        nested_ensure_ovmf
+        local OVMF_CODE OVMF_VARS OVMF_VARS_SECBOOT OVMF_VARS_CURRENT OVMF
         if os.query is-arm; then
-            if [ -z "${NESTED_KEEP_FIRMWARE_STATE-}" ] || ! [ -e "$NESTED_ASSETS_DIR/AAVMF_VARS.fd" ]; then
-                cp -f "/usr/share/AAVMF/AAVMF_VARS.fd" "$NESTED_ASSETS_DIR/AAVMF_VARS.fd"
-            fi
-            PARAM_BIOS="-drive file=/usr/share/AAVMF/AAVMF_CODE.fd,if=pflash,format=raw,unit=0,readonly=on -drive file=$NESTED_ASSETS_DIR/AAVMF_VARS.fd,if=pflash,format=raw"
+            OVMF=QEMU
         else
-            if [ -z "${NESTED_KEEP_FIRMWARE_STATE-}" ] || ! [ -e "$NESTED_ASSETS_DIR/OVMF_VARS${OVMF_VARS}.fd" ]; then
-                cp -f "/usr/share/OVMF/OVMF_VARS${OVMF_VARS}.fd" "$NESTED_ASSETS_DIR/OVMF_VARS${OVMF_VARS}.fd"
+            OVMF=OVMF
+        fi
+        OVMF_CODE="${NESTED_ASSETS_DIR}/ovmf/fw/${OVMF}_CODE.fd"
+        OVMF_VARS="${NESTED_ASSETS_DIR}/ovmf/fw/${OVMF}_VARS.fd"
+        OVMF_VARS_SECBOOT="${NESTED_ASSETS_DIR}/ovmf/fw/${OVMF}_VARS.enrolled.fd"
+        OVMF_VARS_CURRENT="${NESTED_ASSETS_DIR}/ovmf/fw/${OVMF}_VARS.current.fd"
+
+        if [ -z "${NESTED_KEEP_FIRMWARE_STATE-}" ] || ! [ -e "${OVMF_VARS_CURRENT}" ]; then
+            if nested_is_secure_boot_enabled; then
+                cp -fv "${OVMF_VARS_SECBOOT}" "${OVMF_VARS_CURRENT}"
+            else
+                cp -fv "${OVMF_VARS}" "${OVMF_VARS_CURRENT}"
             fi
-            PARAM_BIOS="-drive file=/usr/share/OVMF/OVMF_CODE${OVMF_CODE}.fd,if=pflash,format=raw,unit=0,readonly=on -drive file=$NESTED_ASSETS_DIR/OVMF_VARS${OVMF_VARS}.fd,if=pflash,format=raw"
-            PARAM_MACHINE="-machine q35${ATTR_KVM} -global ICH9-LPC.disable_s3=1"
         fi
+        PARAM_BIOS="-drive file=${OVMF_CODE},if=pflash,format=raw,readonly=on -drive file=${OVMF_VARS_CURRENT},if=pflash,format=raw"
+        PARAM_MACHINE="-machine q35${ATTR_KVM}"
 
         if nested_is_tpm_enabled; then
             if snap list test-snapd-swtpm >/dev/null; then

tests/lib/snaps/store/test-snapd-ovmf/efitools-ms-kek.patch

@@ -0,0 +1,13 @@
+diff --git a/Make.rules b/Make.rules
+index 903a5a4..5328063 100644
+--- a/Make.rules
++++ b/Make.rules
+@@ -81,7 +81,7 @@ endif
+ 	./cert-to-efi-sig-list -g $(MYGUID) $< $@
+
+ getcert = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo "-c PK.crt -k PK.key"; else echo "-c KEK.crt -k KEK.key"; fi)
+-getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else echo db; fi)
++getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); elif [ "$(1)" = ms-kek ]; then echo KEK; else echo db; fi)
+
+ %.auth: %.esl PK.crt KEK.crt sign-efi-sig-list
+ 	./sign-efi-sig-list $(call getcert,$*) $(call getvar,$*) $< $@

tests/lib/snaps/store/test-snapd-ovmf/efitools-updatevars-temporary-constants.patch

@@ -0,0 +1,28 @@
+diff --git a/UpdateVars.c b/UpdateVars.c
+index 2d21563..00027cb 100644
+--- a/UpdateVars.c
++++ b/UpdateVars.c
+@@ -28,15 +28,19 @@ efi_main (EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
+ 	EFI_GUID *owner;
+ 	CHAR16 **variables;
+ 	EFI_GUID **owners;
++	CHAR16 *variables_dbt[] = { L"PK", L"KEK", L"db", L"dbx", L"dbt", L"MokList" , NULL};
++	EFI_GUID *owners_dbt[] = { &GV_GUID, &GV_GUID, &SIG_DB, &SIG_DB, &SIG_DB, &MOK_OWNER };
++	CHAR16 *variables_nodbt[] = { L"PK", L"KEK", L"db", L"dbx", L"MokList" , NULL};
++	EFI_GUID *owners_nodbt[] = { &GV_GUID, &GV_GUID, &SIG_DB, &SIG_DB, &MOK_OWNER };
+
+ 	InitializeLib(image, systab);
+
+ 	if (GetOSIndications() & EFI_OS_INDICATIONS_TIMESTAMP_REVOCATION) {
+-		variables = (CHAR16 *[]){ L"PK", L"KEK", L"db", L"dbx", L"dbt", L"MokList" , NULL};
+-		owners = (EFI_GUID *[]){ &GV_GUID, &GV_GUID, &SIG_DB, &SIG_DB, &SIG_DB, &MOK_OWNER };
++		variables = variables_dbt;
++		owners = owners_dbt;
+ 	} else {
+-		variables = (CHAR16 *[]){ L"PK", L"KEK", L"db", L"dbx", L"MokList" , NULL};
+-		owners = (EFI_GUID *[]){ &GV_GUID, &GV_GUID, &SIG_DB, &SIG_DB, &MOK_OWNER };
++		variables = variables_nodbt;
++		owners = owners_nodbt;
+ 	}
+
+ 	status = argsplit(image, &argc, &ARGV);

tests/lib/snaps/store/test-snapd-ovmf/lockdown-image/repart.d/01-efi.conf

@@ -0,0 +1,3 @@
+[Partition]
+Type=esp
+CopyFiles=/efi:/

tests/lib/snaps/store/test-snapd-ovmf/lockdown-image/root/efi/startup.nsh

@@ -0,0 +1,8 @@
+LockDown.efi
+UpdateVars.efi -a db snakeoil-update.auth
+UpdateVars.efi -a db kernel-edge-20-22-update.auth
+UpdateVars.efi -a db kernel-edge-24-update.auth
+UpdateVars.efi -a KEK ms-kek-pkupdate.auth
+UpdateVars.efi -a db ms-uefi-update.auth
+UpdateVars.efi dbx initial-dbx.auth
+reset -s

tests/lib/snaps/store/test-snapd-ovmf/snakeoil/PkKek-1-snakeoil.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUSbJC1oRCJUbGkwfWHscBeZrRHZcwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UECgwJU25ha2UgT2lsMB4XDTE5MTEwMTIyMDI1NVoXDTE5MTIw
+MTIyMDI1NVowFDESMBAGA1UECgwJU25ha2UgT2lsMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAzUDpJwDzDpLo2ytVRSgt/QWRYk/Yjae5fbujitq73XYL
+uDZ+/Wf5U6zpOfyfzX/l5R0KCV9XYUJF47QEmNCnoWpg3cRdRry+3FIYtdnNK151
+AZ2L74OI4sMX1akSE+MfZFgdPFcm+n0uJgQuvRYGyYaR6N1wbhJ/2iOOba+sbKyc
+aKiL1fSjip2criHA/05cYSomdUT+rTUZALFdCQuOU+gX8Rqhmfbo8VEE7MpE3nrv
+HocQAFphyYgG8jadjggymE7sQEZGrBqOrwMDHitbpoGNlOI2VdFgL5jRKHuB61iC
+kqTmSWuS4lbOEJmms6hhQnTnu/yK7O3NEWegAPMrtQIDAQABo1MwUTAdBgNVHQ4E
+FgQUFD7OXb2T6sOysRo3hj2f15SX8I8wHwYDVR0jBBgwFoAUFD7OXb2T6sOysRo3
+hj2f15SX8I8wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANZRB
+NFVUVZVehpj3QGbbSjp77m0V6JrEYn6u/XjLRFsUNw5Hh35UCR0HkKZ0cLgrVKb/
+8yL6LaYLOY6yDwEFWMtLXiF2S4noO8raEgW6A7DHawb2Y4ZNFRO4oBkyWbtd36Uu
+UfSszs2av048wb5J/pNedRSx8I/FiCNWummzpkBHzx023TdLPd8fmkmG7ZBpStN0
+Y//EE4DKTfHxAwt5w7WdZF5EY/KHPopnR+WSrdutRIK6zT+/+vKihtHYZbrv+7Ap
+K7xOM/zJ6E9vUROmuOhL3YL3MuLn5qHEvhM0eMxEAlCnSJlFkQE4/RXhDpZJYbR7
+x+PQllgoo4H6W30Dew==
+-----END CERTIFICATE-----

tests/lib/snaps/store/test-snapd-ovmf/snakeoil/kernel-edge-20-22.crt

@@ -0,0 +1,23 @@
+subject=CN=PPA canonical-kernel-team uc20-build UEFI
+issuer=CN=PPA canonical-kernel-team uc20-build UEFI
+-----BEGIN CERTIFICATE-----
+MIIDOzCCAiOgAwIBAgIJANAnelPzxGcFMA0GCSqGSIb3DQEBCwUAMDQxMjAwBgNV
+BAMMKVBQQSBjYW5vbmljYWwta2VybmVsLXRlYW0gdWMyMC1idWlsZCBVRUZJMB4X
+DTIwMDUxMTE3MjEwNFoXDTMwMDUwOTE3MjEwNFowNDEyMDAGA1UEAwwpUFBBIGNh
+bm9uaWNhbC1rZXJuZWwtdGVhbSB1YzIwLWJ1aWxkIFVFRkkwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDD4P2NFFV1/RP3OzllI+su2KSOmN0AcFXQ6SbD
+b152f9WjfqbfAg2OB7WB6l2LBQVT8ak3fzRl/cEvCju8FtB1mNgU+oFKNZbVivf0
+L0zd+wAwiP8o7l4L13ssyeh0/4iaQ5Dqocjrptl+fRu86N3wOyZ/CW9NGj9a0zWP
+TZ5ts7PE1XL1YqpqMp7tUUgrjlcatiStQ5iju5ETg3P8+KpXjxvVRXPjBm6GMmKM
+PuJN82MS2J0EaTBOX7N7prExM9MYnfIG+bkWXU4HVEh6eAwpF1wFE9ugzRm6mrAg
+5+XB5iF7RL3b9SBhU/gXvj5BgYuzJSCNvEnwgTE8KGlbvS+dAgMBAAGjUDBOMB0G
+A1UdDgQWBBQx0U3/bz0E2+nXXIgcA7MohFmVHjAfBgNVHSMEGDAWgBQx0U3/bz0E
+2+nXXIgcA7MohFmVHjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCU
+IqwVmXP/Rg3uta5WKLC3JKNgC8yHXN3m8JRubSBrX/Fi1YI5xqXf+WHs7Ga/KP9n
+xIoUOYZUl3jpJlxxjLZABTkrA4NOPUGAs9v9iur4ox0JqvXjqhN/BCFGQd6yAfFE
+AsbXppgp32vQvMHmyfUbMnhtLjU4DS90q/G5miIdZx6vm/4VyYRiK7ds9zThMK+q
+LM3c+LaoB47GTzcyKOdjuWVumq/h4YVMoYIyiltmK9fY0yRwRP+GR4aM9FrIXo1o
+tUx4027AUliM0plkx8TWAehovAjIFWZ6ZJBX7f9lwL4dRFNKMfLfN4Q1idTTLcol
+to5k4Js3yWIuRMmlZKEb
+-----END CERTIFICATE-----
+

tests/lib/snaps/store/test-snapd-ovmf/snakeoil/kernel-edge-24.crt

@@ -0,0 +1,24 @@
+subject=CN=PPA canonical-kernel-team ppa
+issuer=CN=PPA canonical-kernel-team ppa
+-----BEGIN CERTIFICATE-----
+MIIDXjCCAkagAwIBAgIJAOUmq1qLuzz/MA0GCSqGSIb3DQEBCwUAMCgxJjAkBgNV
+BAMTHVBQQSBjYW5vbmljYWwta2VybmVsLXRlYW0gcHBhMB4XDTEyMTAxOTE1NTA0
+OVoXDTIyMTAxNzE1NTA0OVowKDEmMCQGA1UEAxMdUFBBIGNhbm9uaWNhbC1rZXJu
+ZWwtdGVhbSBwcGEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKrpj4
+Fdqggxw6fl3fwhOo5YAaXEaB0gq2NSsrMQLVe3Q3SzZPPrPAKCwPvG6dZYxbNeGS
+e3Jdwnqovsrn2V50T+01AuDh6WB6bTVNXtAvjDJyCN030+g9Nn5yUGNUPg7jDTvM
+eliYVVV4gBNjOwjBTkeKa5kEmXV0zBuX0lB6F8sq8iM7jK8N642dOqd3ImA/uuNA
+tNClV2MzpN1i1Z1L88JWDLwpJ/lXugSkGu/Zl4WlX5BoxdA0Czesy0K8Pbug+AHS
+RlF59LtUmbL5PCbzO6M1WymXzSM3nEJtc8KA/fMieNR1yZIIS+wuTVsbhbx4Bumh
+CfDuDFK/yASm91AHAgMBAAGjgYowgYcwHQYDVR0OBBYEFFXASWHxBDpz4VDQW87q
+IHMg2IX+MFgGA1UdIwRRME+AFFXASWHxBDpz4VDQW87qIHMg2IX+oSykKjAoMSYw
+JAYDVQQDEx1QUEEgY2Fub25pY2FsLWtlcm5lbC10ZWFtIHBwYYIJAOUmq1qLuzz/
+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGYoHI7FNoGejbeQyZOj
+ciDQvPVoXnYxWWQRp3uz9r0IbO0G0rF4nLreNkzwwRXtRaYJboY1XinL/KMclbyP
+wnm5uZTuJ5KobLOsOyeM5EK5Fz5wARkuQ4kvkocgFFdUvdDi0xS5ZLsi1PbAGinc
+q5ByfnPCLSd8Wfs+KBmhrg6Od45uhJ5UUbvDwOOGkDPjpqXcuod9y3n/DXLagTOE
+rGCQwLlmRKdsuRgxC+WBDqzCrOw/93QAL2jILd2tHHHq/mOlVdFWWnybIy0n+KEP
+Ck2ZiEtB/ReoZUxUIXnmNtojishNKfKiMISNezI8SRKgwSvzNQaRCzdkJJo5RV/S
+s9s=
+-----END CERTIFICATE-----
+